Hundreds of WordPress Sites Compromised to Serve Phoenix Exploit Kit

The latest malicious campaign begins with cybercriminals compromising a few hundred websites running WordPress 3.2.1 and altering them to redirect visitors to a domain that serves the malicious Phoenix Exploit Kit.

Using a clever strategy, the masterminds behind this scheme didn’t compromise the sites’ main page; instead they hid a malicious HTML page in the Uploads folder so it wouldn’t be detected too easily.
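Because WordPress core never writes markup or script files into wp-content/uploads, a planted redirector page of the kind described above stands out by file type alone. The following scanner is an added example written for this article, not code from Websense or the WordPress project: it walks an uploads tree, flags files with non-media extensions, and additionally looks for redirect constructs (meta refresh, location assignments, iframes) in any file that is not plain media. The extension lists and redirect patterns are assumptions to be tuned per site, and the demo tree it builds is constructed for illustration.

```python
import os
import re
import tempfile

# Media types WordPress legitimately stores under wp-content/uploads.
# Assumption: a reasonable baseline list; extend it for sites that allow other uploads.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp3", ".mp4"}

# Markup or script files have no business in an uploads tree; WordPress core
# never writes them there, so their mere presence is worth an alert.
SUSPICIOUS_EXTENSIONS = {".html", ".htm", ".php", ".phtml", ".js"}

# Constructs typical of a redirector page (assumed patterns, not taken from the article).
REDIRECT_PATTERNS = [
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    re.compile(r"(window\.|document\.)?location(\.href)?\s*=", re.I),
    re.compile(r"<iframe[^>]+src=", re.I),
]


def scan_uploads(uploads_dir):
    """Walk an uploads tree and return a sorted list of (relative_path, [reasons])
    for files that are non-media by extension or contain redirect constructs."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in SUSPICIOUS_EXTENSIONS:
                reasons.append("non-media extension " + ext)
            if ext not in MEDIA_EXTENSIONS:
                # Only non-media files are read; binary media is skipped to keep the scan cheap.
                try:
                    with open(path, "r", errors="ignore") as fh:
                        head = fh.read(65536)
                except OSError:
                    continue
                for pat in REDIRECT_PATTERNS:
                    if pat.search(head):
                        reasons.append("redirect construct matching " + pat.pattern)
                        break
            if reasons:
                findings.append((os.path.relpath(path, uploads_dir), reasons))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed uploads tree: one image, one harmless text file and
    one planted redirector page. Returns the directory path."""
    base = tempfile.mkdtemp(prefix="wp_uploads_demo_")
    month = os.path.join(base, "2011", "11")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG magic plus padding
    with open(os.path.join(month, "notes.txt"), "w") as fh:
        fh.write("plain text attachment, nothing to see\n")
    with open(os.path.join(month, "invoice.html"), "w") as fh:
        # Constructed redirector; the target hostname is a placeholder.
        fh.write('<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/kit">'
                 "</head><body>Loading...</body></html>\n")
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, why in scan_uploads(demo):
        print(rel, "->", "; ".join(why))
```

Run as-is it prints the single planted page with both reasons; point `scan_uploads` at a real `wp-content/uploads` directory to audit a site. Pairing the scan with a file-integrity baseline of the uploads tree catches the same planting on the next run even if the attacker picks a media-looking extension.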

Since they’re using the compromised sites only to bypass URL reputation mechanisms, spam filters and other security policies, they’re not relying on regular users to visit the infected pages; instead they send out spam emails containing a link to the webpage that serves the exploit kit.

Websense described these emails not long ago, reporting that they’re designed to confuse the recipient and persuade him to click on the link without giving it too much thought.

“Hello! Look, I’ve received an unfamiliar bill, have you ordered
anything? [LINK] Please reply as soon as possible, because the amount
is large and they demand the payment urgently,” reads the malicious
message.

Once the link is clicked, the user, who at this stage becomes a victim, is taken to the compromised site, which redirects to a Russian domain where the exploit is hosted.

The Phoenix Exploit Kit probes for vulnerabilities in Internet Explorer, Adobe Reader, Flash and Java, the applications that users most often fail to update.

An interesting observation made by the experts is that the exploit kit is not designed to target Google Chrome users. For no obvious reason, the source code is written so that those who use Chrome are excluded.

Security solutions providers are keeping close tabs on these malicious
elements, but to make sure they’re protected, users are advised never
to click on suspicious links that come in suspicious emails.